Symantec Security Threatcon Status for 2011-09-27

On September 21, 2011, Adobe released a patch to address a zero day universal cross site scripting vulnerability, in addition to other critical bugs. The vulnerability allows an attacker to steal information and inject arbitrary scripts into the victim's browser running Flash.

At present, there are reports of limited targeted exploitation in the wild. Google has been credited with reporting the bug, which was fixed in their Chome web browser one day in advance. The most likely attack vector is through enticing a victim to click on a spam link. Note that in June 2011, a similar zero day vulnerability was exploited to take control of Gmail mailbox of victims.

We recommend that customers apply the Flash player updates as soon as possible.

Adobe Security Bulletin - APSB11-26
Security updates available for Adobe for Adobe Flash Player
http://www.adobe.com/support/security/bulletins/apsb11-26.html